With the FIFA World Cup 2026 underway across North America, researchers have turned up a significant security flaw in FIFA's streaming infrastructure: unenforced Microsoft Entra ID access controls that could have allowed a remote attacker to take over the live broadcast systems delivering matches to hundreds of millions of viewers.
The Vulnerability: Access Controls That Weren't Enforced
The flaw, detailed by Dark Reading, stemmed from a misconfiguration in FIFA's Microsoft Entra (formerly Azure Active Directory) tenant. While access policies appeared to be defined, they were not actually enforced on the underlying broadcast management systems — a gap that left an externally reachable attack surface with far weaker authentication and authorization than the configuration implied.
In identity and access management terms, this is a failure of policy enforcement rather than policy definition. Organizations often configure access controls correctly on paper but fail to verify that those controls are applied consistently at every resource, API endpoint, or management interface.
The result in this case: an attacker with knowledge of the flaw could have potentially accessed or manipulated systems controlling the live World Cup streams — the broadcasting infrastructure delivering match footage to global rights holders and streaming platforms.
"Rickrolled the World Cup"
Dark Reading's coverage colorfully noted that an attacker could have "Rickrolled the World Cup" — replacing match footage with arbitrary content — or, more seriously, disrupted, corrupted, or redirected broadcast signals in ways that could have caused significant financial and reputational damage to FIFA and its broadcast partners.
The actual risk goes beyond pranks. Broadcast infrastructure access could allow an attacker to:
- Inject unauthorized content into live streams
- Interrupt or black out coverage for specific regions
- Exfiltrate sensitive commercial agreements, rights holder data, or broadcast scheduling information
- Pivot into broader FIFA network infrastructure from the broadcast management systems
Entra Misconfiguration as a Pattern
Microsoft Entra misconfigurations have become an increasingly common finding in enterprise security assessments. The shift to cloud identity management has created new complexity: organizations that once managed access through on-premises Active Directory now operate hybrid or fully cloud-native identity stacks where policy enforcement requires deliberate configuration across multiple layers — Conditional Access policies, app registrations, enterprise application settings, and API permissions.
Common failure modes include:
- Conditional Access policies not scoped to all applications — policies that protect the Entra portal but leave specific application registrations or API endpoints unprotected
- Service principal over-permissioning — app registrations granted broader access than needed, which becomes a lateral movement vector if compromised
- Legacy authentication protocols left enabled — older protocols that bypass modern Conditional Access controls entirely
- Misconfigured guest access — allowing external users broader access than intended
FIFA's case appears to fall into the first category: controls that were defined but not fully applied, leaving gaps in coverage.
Responsible Disclosure and Remediation
The vulnerability was reported through responsible disclosure, giving FIFA an opportunity to remediate before public disclosure. As of the Dark Reading report, the issue has been addressed — confirmed through coordination between the researcher and FIFA's security team.
The timing, with the World Cup actively underway, adds urgency to the finding. High-profile sporting events have historically attracted both opportunistic and nation-state threat actors who see disruption as an opportunity for embarrassment, political messaging, or financial gain. Broadcasting infrastructure represents a particularly visible target.
Lessons for Organizations
The FIFA flaw illustrates a gap that exists across many large organizations managing complex Microsoft 365 and Entra environments:
Assume policy definition does not equal policy enforcement. Regularly test whether Conditional Access policies actually block what they are supposed to block, using the Entra "What If" analysis tool and regular penetration testing of externally accessible resources.
Inventory all enterprise applications and their access controls. Organizations frequently lose track of app registrations and service principals accumulated over time, some of which may have broader permissions than intended.
Include broadcast and operational technology in security scope. Media organizations, sports bodies, and event organizers often focus security resources on traditional IT systems while operational technology — broadcast management, event control systems, physical venue technology — receives less attention despite being equally or more impactful if compromised.
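The first two lessons can be turned into a repeatable check. The script below is an added example, not code from Dark Reading, FIFA, or Microsoft: it compares an application inventory against Conditional Access policies and lists apps that no enforced policy reaches. The data is constructed in the shape of Microsoft Graph policy and service principal objects; the app names and IDs are hypothetical placeholders.

```python
import json

# Constructed sample data (placeholder IDs), shaped like Microsoft Graph output.
POLICIES = json.loads("""[
 {"displayName": "Require MFA - admin portal", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["app-portal"], "excludeApplications": []}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Require MFA - all apps", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Compliant device - all but stream", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": ["app-stream"]}},
  "grantControls": {"builtInControls": ["compliantDevice"]}}
]""")
SERVICE_PRINCIPALS = [
    {"appId": "app-portal", "displayName": "Admin Portal"},
    {"appId": "app-stream", "displayName": "Stream Control Console"},
    {"appId": "app-hr", "displayName": "HR App"},
]

def targets(policy, app_id):
    """True if the policy's application condition includes this app."""
    apps = policy["conditions"]["applications"]
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    return app_id not in excluded and ("All" in included or app_id in included)

def coverage(policies, service_principals):
    """Per app: policies that are enforced vs. defined but not enforced."""
    report = {}
    for sp in service_principals:
        enforced, defined_only = [], []
        for p in policies:
            controls = (p.get("grantControls") or {}).get("builtInControls")
            if controls and targets(p, sp["appId"]):
                # Report-only and disabled policies exist on paper but block nothing.
                bucket = enforced if p["state"] == "enabled" else defined_only
                bucket.append(p["displayName"])
        report[sp["displayName"]] = {"enforced": enforced, "defined_only": defined_only}
    return report

def gaps(report):
    """Apps that no enforced policy reaches, whatever is defined on paper."""
    return sorted(name for name, r in report.items() if not r["enforced"])

if __name__ == "__main__":
    print("unprotected:", gaps(coverage(POLICIES, SERVICE_PRINCIPALS)))
```

The check covers application scoping only; user, location, and client-app conditions can narrow real coverage further, so confirm any result with the "What If" tool.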
Source: Dark Reading